kotovalexarian-likes-github
/
sinatra
mirror of https://github.com/sinatra/sinatra
1
0
Fork 0
Code Releases Activity
sinatra/rack-protection/spec/lib/rack/protection/json_csrf_spec.rb

101 lines
2.9 KiB
Ruby
Raw Blame History

describe Rack::Protection::JsonCsrf do
it_behaves_like "any rack application"
module DummyAppWithBody
module Closeable
def close
@closed = true
end
def closed?
@closed
end
end
def self.body
@body ||= begin
body = ['ok']
body.extend(Closeable)
body
end
end
def self.call(env)
Thread.current[:last_env] = env
[200, {'Content-Type' => 'application/json'}, body]
end
end
describe 'json response' do
before do
mock_app { |e| [200, {'Content-Type' => 'application/json'}, []]}
end
it "denies get requests with json responses with a remote referrer" do
expect(get('/', {}, 'HTTP_REFERER' => 'http://evil.com')).not_to be_ok
end
it "closes the body returned by the app if it denies the get request" do
mock_app DummyAppWithBody do |e|
[200, {'Content-Type' => 'application/json'}, []]
end
get('/', {}, 'HTTP_REFERER' => 'http://evil.com')
expect(DummyAppWithBody.body).to be_closed
end
it "accepts requests with json responses with a remote referrer when allow_if is true" do
mock_app do
use Rack::Protection::JsonCsrf, :allow_if => lambda{|env| env['HTTP_REFERER'] == 'http://good.com'}
run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
end
expect(get('/', {}, 'HTTP_REFERER' => 'http://good.com')).to be_ok
end
it "accepts requests with json responses with a remote referrer when there's an origin header set" do
expect(get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com')).to be_ok
end
it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
expect(get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com')).to be_ok
end
it "accepts get requests with json responses with a local referrer" do
expect(get('/', {}, 'HTTP_REFERER' => '/')).to be_ok
end
it "accepts get requests with json responses with no referrer" do
expect(get('/', {})).to be_ok
end
it "accepts XHR requests" do
expect(get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')).to be_ok
end
end
describe 'not json response' do
it "accepts get requests with 304 headers" do
mock_app { |e| [304, {}, []]}
expect(get('/', {}).status).to eq(304)
end
end
describe 'with drop_session as default reaction' do
it 'still denies' do
mock_app do
use Rack::Protection, :reaction => :drop_session
run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
end
session = {:foo => :bar}
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
expect(last_response).not_to be_ok
end
end
end
View Git Blame Copy Permalink